UK GDPR and data breach compensation: What you need to know

Personal information is a valuable commodity. However, careless corporate practices, human error, and cybercrime mean that this information is not safeguarded as well as it should be. Allowing personal data to fall into the wrong hands may result in severe financial losses, emotional distress, and loss of privacy. 

If an individual's personal data has been exposed as a result of a data breach in your company, they have the right to seek compensation.

Get all the details on how affected individuals can claim compensation in case of a data breach in your company, including the amount of compensation expected. Use these insights to get your company up to speed on data breach compensation.

In this blog post, we'll cover:


What counts as a data breach?

A data breach is defined as the unintended or purposeful disclosure of sensitive or confidential information to an unauthorised person or entity.

Breaches are common in service-based sectors with direct public interaction. Mobile phone companies, software companies, retail stores, and banks have all made headlines in recent years as a result of data security breaches. 

Affected persons can claim a compensation claim in situations such as:

  • When their privacy has been violated as a result of a whistleblower case.
  • If they believe their personal information has been exploited or mismanaged.
  • When their personal information was compromised as a result of cybercrime.
  • When their data has been lost or disclosed accidentally.
  • When a company or organisation violates the law by using their personal information for journalistic, artistic, or literary purposes without their consent.
  • If their personal information has been shared with a third party without their consent.
  • When an organisation fails to keep up-to-date, accurate information on them, and as a result, they suffer damage.


What is a GDPR data breach compensation claim?

A data breach compensation claim can be filed against a single individual, a company, or a group of defendants. In the claim, the affected individual accuses the defendant of being liable for the disclosure of their personal information and requests monetary compensation for the damages caused.

The existing law permits people to sue for both the financial and non-material damages caused by the violation, such as loss of money and emotional distress.


Who can make a data breach compensation claim?

The GDPR was implemented in 2018 in response to the rising occurrence of data breaches. The GDPR strives to safeguard individuals and provide them control over their data in the event that it is held by a third party. The term "third-party" refers to social media platforms, online services, and offline stores.

If a person suspects their data has been compromised, the GDPR regulations allow them to file a data breach claim. They have the right to seek compensation if an organisation has caused them harm or distress by violating any aspect of the UK Data Protection Act.

However, the affected person must first try to arrange an out-of-court deal with the defendant. If a data breach happened in your organisation, the defendant in this case would be you.

If you refuse to accept their request or cannot reach an agreement outside of court, they have the right to take the case to court and file a legal claim. But the person would need to first notify you about their intention to pursue the matter in court.


What do affected persons need to show before making a claim for a data breach?

For the compensation claim to be successful, the affected individual must show that you, as their data handler, failed to take all reasonable means to protect the safety and security of their data and that their data was shared or made available to other third parties or organisations without their consent as a result of your data breach.

Any company that deals with personal data owes those persons certain rights, and they can file a claim if:

  • The data might have been lost or hacked, resulting in the breach.
  • Their information was sent to a third party without their permission.
  • Your company's information had not been updated, and the misinformation had caused them harm.
  • Inappropriate use of personal information had occurred. 


When are individuals eligible for data breach compensation?

The affected persons have the right to file a data breach claim for up to £2,000 or more in compensation under the DPA and GDPR if:

  • Their personal information has been leaked, exposed, damaged, hacked, misappropriated, or lost.
  • It was a planned or unintentional breach.
  • The breach had occurred within less than six years.
  • The breach affected them emotionally and caused mental distress 
  • They were given free credit monitoring or anything similar by your company. 


How much data breach compensation can an affected person receive?

The average monetary compensation for a data breach ranges from £1,000 to £42,900. In some situations, if a personal data breach causes an individual considerable emotional distress, they may be eligible to seek further compensation.

The amount of compensation for a data breach varies depending on the type of breach and the court decision.

Different types of data breach compensations

The figures below can be used as a general estimate of how much compensation you could be entitled to as a result of various kinds of breaches. 

  • For a minor breach of personal data, such as your name, date of birth, home address, and email address, the lowest compensation is offered. For such violations, you may be entitled to compensation of up to £2,000.
  • For a breach of medical information, you are entitled to a higher reimbursement, ranging from £2,000 to $5,000.
  • If your financial information is stolen, you may be entitled to compensation ranging from £3,000 to £8,600, depending on the severity of the incident.
  • For more significant data protection breaches that have resulted in catastrophic repercussions, you can obtain anything from £8,600 to £25,700.
  • If the data breach has caused you bodily or emotional harm, you may be entitled to compensation of up to £42,900. You must, however, present proof of your physical condition and financial losses in such circumstances. 
Types of Compensations Compensation Amounts
Personal Data Breach Up to £2,000 
Medical Data Breach £2,000 - £5,000 
Financial Information Breach £3,000 - £8,600 
Catastrophic Repurcussion Breach £8,600 - £25,700 
Breach that caused physical or emotional distress Up to £42,900 

It is crucial to remember that these are only approximate figures. The court will determine your precise compensation amount. If the court determines that you have not presented enough proof for your case, it may refuse your compensation request. In such a circumstance, the court may even require you to pay the defendant's legal fees. 

What is the time limit to file a data breach claim?

Affected individuals have six years to file a claim in the United Kingdom. This implies that if their data was leaked in the previous six years, they may now file a compensation claim.

If they fail to comply with or recognise the appropriate limitation period or date, they may lose their right to request the claim. If their claim involves a potential violation of their data rights, they must act immediately. 

Once again, a data breach compensation claim is only achievable if they are able to demonstrate that they have experienced financial losses, physical harm, threats or emotional distress as a result of the data breach in your company.


Do individuals affected by the data breach have to go to court to get compensation?

Persons affected by a data breach do not need to file a lawsuit in order to get compensation. It is possible that your organisation, for example, will simply agree to pay it. If you do refuse to pay, their next step will be to file a lawsuit. Then the matter would be decided by the court.

How much compensation will the court award if the data breach compensation claim is successful?

This will be decided by the judge hearing the case, who will consider all the facts. This includes the severity of the infringement and its impact on the affected person, especially when determining the amount of distress they experienced.

How much have previous data breach claims received in compensation?

Over time, the amount of money paid out in compensation for data breach claims has risen. Initial Data Protection Act breaches often resulted in damages of around £2,500 for revealing personal information.

However, as organisations have gathered more personal information, more cases have gone to court, setting new standards. The following are some of the most well-known recent data breaches.

Company What happened? Average Claim Amount
Easyjet  Hackers gained access to 9 million customers' personal information during a cyber-attack on Easyjet's IT servers. £2,000 
118 118 Money  Hackers targeted customer call recordings in which personal information might have been shared. £1,500 
Blackbaud  A cyber-attack on software company Blackbaud stole confidential information that impacted other organisations related to them, including National Trust. £2,000-£3,000 
Bounty  Personal data of pregnant women and mothers were disclosed to third parties for marketing reasons, totalling about 35 million pieces of information. £1,000 – £2,000 
Bristol City Council  Hundreds of families with handicapped children had their names disclosed without their consent due to an email error made by a council employee. £2,000-£3,000 
British Airways   420,000 consumers' personal and financial information was taken in a breach. Up to £6,000 
Claire’s Accessories  During online checkout, a hacker used malicious code to collect client information. £3,000 – £5,000 
Dixons  Malware on store tills accessed over 10 million customer details in a hack. £1,500 
Equifax  Cyber hackers gained access to Equifax's computers in the United States and stole the personal information of 146 million individuals all over the world. £1,000 – £2,000 
Equiniti  Hundreds of Sussex police officers' yearly benefit statements were issued to the wrong addresses. £1,000 – £2,000 
Hockley Medical Practice  Hackers gained access to the medical records of thousands of patients.   £3,000 
Lloyds Pharmacy  A delivery organisation delivered private medical information to a property in Scotland by mistake. £1,500 
LOQBOX  Hackers gained access to personal data and, in some circumstances, credit card data as a result of a cyber-attack. £4,000 
Marriott  7 million visitor records in the UK were impacted by a cyber-attack in 2014 that was not found until 2018 £2,500 
National Trust  Although the breach started with Blackbaud, it impacted National Trust fundraisers and volunteers since personal information was exposed. £2,000-£3,000 
OnePlus  Personal data was stolen by cyber thieves when information was hacked through an online retailer £1,500 – £2,000 
T-Mobile  Hackers gained access to personal information of over 1.2 million prepaid users as a result of the breach. £1,500 – £2,000 
TeamSport  Hundreds of former employees' personal and financial data were accidentally released to an individual.   £4,000 
Ticketmaster  Cyber hackers stole the personal and financial information of 40,000 consumers.   £5,000 
Twitter  The private tweets of 88,726 Twitter users were made public due to a glitch. £1,000 
Virgin Media  Personal information of current and future clients was accessed without consent due to an insecure database. £5,000 
Watford Community Housing   Due to a staff member's error, emails containing personal information on 3,545 renters were sent out. £2,000 
Zoom  Targeted by a cyberattack that resulted in the selling of about 500,000 user accounts on the dark web £2,500 


How to ensure data privacy and avoid data breaches in your organisation

As we've explored, individuals have significant rights under the GDPR, particularly in relation to data breaches. This reality presents an important opportunity for businesses. Being responsible with data not only builds trust with your customers, it's also a legal necessity.

Understanding GDPR and implementing a robust data protection strategy is essential for today's businesses. With DataGuard's Privacy-as-a-Service, you can ensure that your business not only complies with these regulations but also demonstrates a commitment to data security.

Protect your business and your customers by exploring our tailored data protection solutions. Find out how we can help your business stay secure and compliant.

Do you have unanswered questions about data breach compensation? Don't hesitate to reach out to us for a free consultation.

GDPR for small businesses 212x234 UK GDPR for small businesses 800x600 MOBILE UK

Strengthen your privacy

Are you a small business trying to understand how the GDPR applies to your organisation?
Learn how!

Download now!

About the author

DataGuard Privacy Experts DataGuard Privacy Experts
DataGuard Privacy Experts

Dive into the world of data protection, compliance, ethics, and data security with hands-on advice and actionable opinions from our certified Data Protection Officers and Privacy Consultants from Germany, the UK, and Austria. Coming from a wide range of backgrounds like business, legal, tech, or marketing, our specialists share the latest news and solutions to current challenges, as well as their takes on recent judgements and legal decisions with you. Their aim? Enable you to make the right decisions and keep your business safe, build trust, and grow revenue while remaining compliant with current privacy laws. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional/Europe (IAPP), Certified Information Privacy Manager (IAPP) Information Security, Certified Information Privacy Technologist (IAPP), Certified Practitioner in Data Protection (BCS), Certified Data Protection Officer (TÜV), Fellow of Information Privacy (IAPP), Certified EU General Data Protection Regulation Practitioner (IBITGQ), Data Protection Officer & Europrivacy Auditor, Practitionier Certificate in Data Protection, PC.dp. (GDPR)

Explore more articles

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies

100% success in ISO 27001 audits to date



TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk